Getting started with security log collection using OSS (oss-securitylog-builderscon2017)

bungoume
August 05, 2017


Transcript

  1. Getting started with security log collection using OSS. Yuri Umezaki, builderscon tokyo 2017

  2. About me: Yuri Umezaki. DevOps: log analysis, search APIs, infrastructure management. Python, Elasticsearch, Docker

  3. Survey: which is closest to your job?
     - Developer
     - Operations / infrastructure administrator
     - Security engineer

  4. Security threats: tampering, information leakage, ransomware, etc.
     Diagram: firewall, IDS/IPS/WAF, server (confidential data), vulnerabilities, etc.
     - External attacks
     - Internal misconduct (including operator mistakes)
     Threats lurk both outside and inside.

  5. Categories of security measures. They are generally divided into four:
     - Deterrence: make attackers think twice
     - Prevention: access control, etc.
     - Detection: detect problems and record the clues needed for recovery
     - Recovery: restore the state from before the incident
     Most measures are defensive ones, that is, deterrence and prevention.

  6. How intrusions get noticed:
     - Someone inside the company notices something suspicious
     - Contact from a friendly external white-hat hacker
     - Discovered through a user inquiry
     - The attacker tells you themselves
     ← It is said that about half are pointed out from outside*
     * FireEye M-Trends 2017: annual trends in security breaches and cyber attacks https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html

  7. Detecting external attacks:
     - Detect suspicious traffic with access logs, IDS, etc.
     - Detect with host-based security products
     The products sitting between the outside and the server give some protection, but in the end detection has to happen on the host (the server itself). We want to collect at least a minimal set of logs on the servers too.

  8. Detecting internal misconduct:
     - Who is logging in to the server, and when
     - What they are doing on the server (operation logs)
     System administrators' authentication logs are important. First, we want to collect authentication and operation logs on the servers.

  9. How to capture operation logs?
     - bash history, script command: recording can easily be stopped or rewritten
     - psacct: arguments cannot be checked, and command names are truncated
     - audit: looks good as an audit log

  10. audit log: # systemctl start auditd, then # auditctl -a always,exit -F arch=b64 -S execve. A single ls produces several log lines in /var/log/audit/audit.log; hard to parse…

  11. Making use of the audit log. As far as I know, the following parsers look handy:
     - go-audit: a tool by Slack that parses the audit log nicely
     - Elastic Beats: Filebeat 5.4 (2017/5/4) added an auditlog parser!
     - osquery ← this is the one covered this time

  12. osquery: a machine-state inspection tool by Facebook
     - osqueryi: check running processes, login status, etc. with SQL
     - osqueryd: run queries on a schedule, write logs, and use them for monitoring
     - Usable not only on Linux but also on Windows and macOS
     Note: depending on the OS, some kinds of data cannot be collected; audit events are Ubuntu and CentOS only.

  13. osquery: 9501 GitHub stars as of 2017/8/3. Introduced as number 10 in Linux Security Tools (Top 100)*
     * https://linuxsecurity.expert/security-tools/top-100/

  14. Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/

  15. Exercise: osquery on macOS: $ brew install osquery

  16. Exercise: osquery on macOS: it can even see Chrome extensions and the like.

  17. osqueryd on Linux: vim /etc/osquery/osquery.conf, then service osqueryd restart. Run osquery periodically and have it write logs.

  18. osqueryd's logs: written as JSON to /var/log/osquery/osqueryd.results.log

  19. audit events: if you also want a history of communication with the outside, add socket_events. vim /etc/osquery/osquery.conf

  20. audit events: add the flags shown on the slide to /etc/osquery/osquery.flags. To collect socket_events, a further flag (also on the slide) is required. (Note: enabling this option increases CPU usage.)

  21. process_events log: the log of running ls

  22. socket_events log

  23. File integrity monitoring: watch creation/modification/deletion per file or path. vim /etc/osquery/osquery.conf

  24. File integrity monitoring log: could be a substitute for tools like AIDE, OSSEC, and Tripwire. The log after echo "message" >> /etc/test

  25. osquery can collect all sorts of things! I chose it to collect authentication and operation logs, but it looks capable enough as a host-based IDS.
     - Well documented
     - Easy to use even for people not used to the command line (maybe)
     - Can run on a schedule
     - Results are emitted as JSON, so they are easy to make use of (important)

  26. How osqueryd works (roughly): internally it uses RocksDB, a key-value data store. https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ When osqueryd runs a scheduled query, it checks whether the previous result is stored in RocksDB:
     - No data: output all rows and store the result
     - Previous result in the DB: compare the two data sets and output the difference

  27. How osqueryd works (roughly): what if a file is changed and restored between two periodic checks, is that not reported? For file integrity monitoring it is event-based monitoring, so the change information is retained (file monitoring uses inotify and FSEvents).

  28. What to monitor (one example):
     - Authentication logs (login events)
     - Operation logs
     - Communication logs
     - Hardware connection logs

  29. What to monitor (endpoints):
     - Chrome and Firefox plugins
     - Malware getting into browser extensions has become a problem in recent years
     - Lists of libraries such as homebrew packages
       - Malware with names similar to well-known packages is found on npm
     Suspected malware in "HTTP Headers", a Chrome extension used by 50,000 people http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware
     Large numbers of malware packages with names closely resembling well-known software found on npmjs.com http://gfx.hatenablog.com/entry/2017/08/02/131537

  30. Packs: osquery also provides query packs: osquery_monitoring, it_compliance, incident_response, osx-attacks, vuln-management, hardware-monitoring

  31. osquery.conf example configuration: start with packs plus the parts you actually use

  32. Don't forget logrotate: the volume of logs gets quite large, so logrotate is necessary (/etc/logrotate.d/osqueryd). daily can be painful, so hourly may be better.

  33. Collecting the logs: S3

  34. Parsing with Fluentd: the logs are JSON, so parsing them with fluentd is easy

  35. Storing the logs in Elasticsearch

  36. Users' command history

  37. sshd login attempts

  38. Using and operating the logs: once the logs are in Elasticsearch, Elastalert or Watcher can be used to search for and notify on abnormal operations and commands that need attention.
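The slide above relies on searching the JSON results log for abnormal operations. The following Python script is an added example, not part of the talk or of osquery itself: it parses constructed osqueryd.results.log lines (both differential "added" records and "snapshot" records) and matches process_events command lines against a hypothetical watch list, flagging file_events under /etc/ as well. Field names follow the osquery tables named on the slides (process_events, file_events, logged_in_users); the sample rows and the watch patterns are my own.

```python
import json
import re

# Constructed sample of /var/log/osquery/osqueryd.results.log (one JSON object per
# line, not captured from a real host). Differential queries log one row per line
# with "action":"added"/"removed"; snapshot queries log a list under "snapshot".
SAMPLE_LOG = """
{"name":"process_events","hostIdentifier":"web01","unixTime":1501900001,"action":"added","columns":{"pid":"4211","uid":"1000","path":"/bin/ls","cmdline":"ls -la /var/log"}}
{"name":"process_events","hostIdentifier":"web01","unixTime":1501900002,"action":"added","columns":{"pid":"4212","uid":"1000","path":"/usr/bin/sudo","cmdline":"sudo useradd backdoor"}}
{"name":"process_events","hostIdentifier":"web01","unixTime":1501900003,"action":"added","columns":{"pid":"4213","uid":"0","path":"/usr/sbin/auditctl","cmdline":"auditctl -e 0"}}
{"name":"file_events","hostIdentifier":"web01","unixTime":1501900004,"action":"added","columns":{"target_path":"/etc/test","action":"UPDATED","sha256":"0123abcd"}}
{"name":"logged_in_users","hostIdentifier":"web01","unixTime":1501900005,"action":"snapshot","snapshot":[{"user":"alice","host":"10.0.0.5","tty":"pts/0"}]}
"""

# Hypothetical watch list: command patterns an operator wants a chat notification for.
WATCH_PATTERNS = [
    ("privilege escalation", re.compile(r"^sudo\b|\bsu\b")),
    ("account change", re.compile(r"\b(useradd|usermod|passwd)\b")),
    ("audit tampering", re.compile(r"\bauditctl\s+-e\s+0\b")),
]
WATCH_DIRS = ("/etc/",)  # file_events under these paths are always reported


def parse_results_log(text):
    """Return (query_name, host, unix_time, row) for every row; skips blank/malformed lines."""
    rows = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        key = (rec.get("name"), rec.get("hostIdentifier"), rec.get("unixTime"))
        if rec.get("action") == "snapshot":
            rows.extend(key + (r,) for r in rec.get("snapshot", []))
        elif rec.get("action") == "added":  # "removed" rows are not acted on here
            rows.append(key + (rec.get("columns", {}),))
    return rows


def find_alerts(text):
    """Match process_events cmdlines against the watch list and flag file_events under WATCH_DIRS."""
    alerts = []
    for name, host, ts, row in parse_results_log(text):
        if name == "process_events":
            cmd = row.get("cmdline", "")
            reason = next((r for r, p in WATCH_PATTERNS if p.search(cmd)), None)
            if reason:
                alerts.append({"host": host, "time": ts, "reason": reason, "detail": cmd})
        elif name == "file_events" and row.get("target_path", "").startswith(WATCH_DIRS):
            alerts.append({"host": host, "time": ts, "reason": "file change",
                           "detail": f'{row.get("action")} {row["target_path"]}'})
    return alerts
```

The same matching can be expressed as an Elastalert or Watcher rule once the logs are in Elasticsearch; the script is only the decision logic run locally over the log file.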

  39. Notify a chat tool: send login events to Slack. When a notification arrives, the person who performed the action leaves a confirming comment. This gives information sharing (who is operating the server, when, and for what purpose) and (a kind of) multi-factor authentication.

  40. Caveats:
     - osquery development is active
       - There used to be a bug that increased disk IO (now fixed)
     - Memory usage is around 100 MB
     - Enabling socket monitoring consumes CPU (around 5%?)
     - osqueryd is schedule-based
       - Completeness of the written-out logs is slightly weak
       - Combine it with tools such as go-audit

  41. Getting started with security log collection using OSS. Yuri Umezaki, builderscon tokyo 2017

  42. Getting started with security log collection using the OSS osquery. Yuri Umezaki, builderscon tokyo 2017

  43. Summary:
     - Design the whole system so that the security operations burden is low
     - Start making use of the highest-priority logs first
     - Also consider mechanisms that prevent log tampering and loss
     - Establishing procedures for attack prevention and recovery matters too

  44. osquery is not a silver bullet. Installing osquery is not the end; use it in combination with other tools.

  45. Let's start using osquery in Japan too